blob: 721546c2836516ec43b4b5b3471b07a67da23ad0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.16.16
----------------------
Feature Changes
~~~~~~~~~~~~~~~
- DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. :gl:`#2445`
- The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. :gl:`#2642`
- The default value of the ``max-ixfr-ratio`` option was changed to
``unlimited``, for better backwards compatibility in the stable
release series. :gl:`#2671`
- Zones that want to transition from secure to insecure mode without
becoming bogus in the process must now have their ``dnssec-policy``
changed first to ``insecure``, rather than ``none``. After the DNSSEC
records have been removed from the zone, the ``dnssec-policy`` can be
set to ``none`` or removed from the configuration. Setting the
``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
records to be published. :gl:`#2645`
- The implementation of the ZONEMD RR type has been updated to match
:rfc:`8976`. :gl:`#2658`
- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
or the SOA TTL. :gl:`#2347`
Bug Fixes
~~~~~~~~~
- It was possible for corrupt journal files generated by an earlier
version of ``named`` to cause problems after an upgrade. This has been
fixed. :gl:`#2670`
- TTL values in cache dumps were reported incorrectly when
``stale-cache-enable`` was set to ``yes``. This has been fixed.
:gl:`#389` :gl:`#2289`
- A deadlock could occur when multiple ``rndc addzone``, ``rndc
delzone``, and/or ``rndc modzone`` commands were invoked
simultaneously for different zones. This has been fixed. :gl:`#2626`
- ``named`` and ``named-checkconf`` did not report an error when
multiple zones with the ``dnssec-policy`` option set were using the
same zone file. This has been fixed. :gl:`#2603`
- If ``dnssec-policy`` was active and a private key file was temporarily
offline during a rekey event, ``named`` could incorrectly introduce
replacement keys and break a signed zone. This has been fixed.
:gl:`#2596`
- When generating zone signing keys, KASP now also checks for key ID
conflicts among newly created keys, rather than just between new and
existing ones. :gl:`#2628`
Known Issues
~~~~~~~~~~~~
- There are no new known issues with this release. See :ref:`above
<relnotes_known_issues>` for a list of all known issues affecting this
BIND 9 branch.
|
